How micro-segmentation can prevent the pieces of your cloud infrastructure from getting picked off

Enterprises love the cloud. The cloud gives them rapid re-configuration and on-demand scaling of their infrastructure, as well as plenty of options: public clouds, private clouds, and hybrid clouds. Powered by Infrastructure-as-a-Service (IaaS) platforms like OpenStack and AWS, the cloud’s twin benefits of agility and flexibility can make applications and workflows responsive and nimble, like a herd of gazelle sprinting across the African savanna.

The atomization of the perimeter

Cloud benefits, however, come with uniquely cloud risks, as the explosion of cloud computing has naturally led to the multiplication of the attack surface. Since it has become so easy to move things across infrastructure boundaries, lots of boundaries get crossed many times, even within the same workflow. As the provisioning and deployment of assets becomes more granular, these individual infrastructure elements move between cloud platforms, providers, and datacenters (this is especially true in hybrid cloud environments). In such an environment, the traditional security mindset, with its heavy emphasis on perimeter defenses and high-level network segmentation, is outdated.

In order to achieve true defense in depth in today’s fluid and granular cloud environments, every application needs its own layer of protection. Otherwise, those infrastructure pieces are like young, frail, sick, or old gazelles that stray from the safety of the herd – and are quickly picked off. To prevent hackers from exploiting the soft targets behind an increasingly nebulous perimeter, enterprises need to adopt micro-segmentation. This is a necessity since each application essentially has its own perimeter.

Micro-segmentation gives each gazelle spread across the savanna the same safety as the whole herd.

Making micro-segmentation work

Like traditional, higher-level network segmentation, micro-segmentation relies on the creation and enforcement of rules in order to work. Generating, testing, and deploying these specific rules remains a tough challenge for organizations trying to implement micro-segmentation. With a great many applications, processes, protocols, and ports, there are a bewildering number of possible interactions to allow or block. In fact, just gaining visibility into these interactions within the infrastructure is a common hurdle, especially down to the process level.

Bad rules can block necessary, legitimate data flows, breaking an application and causing unnecessary downtime. Rules that are too permissive and lack sufficient granularity will fail to detect or block malicious east-west traffic, leading to excessive “dwell time” (the delay between an intrusion and its discovery), during which attackers can move laterally throughout your infrastructure undetected, exfiltrating data. Mega-breaches are the result.

The need for unified tools in heterogeneous environments

Compounding the task of matching a myriad of rules to complex cloud-based workflows is the fact that the IT infrastructure of many enterprises is very heterogeneous: bare-metal servers, containers, VMs, different operating systems, and multiple IaaS providers. Successful enterprise-wide micro-segmentation must work seamlessly across all of it; otherwise, gaping holes in protection will exist that attackers will use as wide-open hallways for lateral movement through systems.

Those hallways must be guarded and continuously monitored, because attackers will get past the front door—your perimeter.

Although perimeter defenses like outside-facing firewalls are still necessary, they are not sufficient. They will not block zero-day attacks that your team and technology perhaps didn’t know to look out for. Hybrid cloud environments are especially vulnerable to zero-day attacks due to the complexity and multidimensionality we’ve discussed above. In fact, according to one recent survey, 80% of organizations utilizing IaaS use services from more than one provider.

This is why truly portable micro-segmentation solutions are what’s really needed for constantly evolving hybrid cloud environments. Micro-segmentation tools built into OpenStack or AWS, for example, will only work on those platforms, defeating the flexibility and agility benefits of the cloud. When applications shift from one IaaS platform to another, those micro-segmentation policies must be exported, translated, and then re-implemented on the new platform. If the migration also includes some sort of network interface or application change, then those changes must be rolled into the process as well.

Thankfully, the micro-segmentation products available on the market include comprehensive, vendor-agnostic solutions that offer network traffic and topology discovery down to the process level, automatic rule recommendation, flexible rule engines with tools to easily create, test, and deploy rules, and integrated threat detection.
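To make the rule-granularity point from the “Making micro-segmentation work” section and the discovery-plus-rule-recommendation workflow above concrete, here is an added toy policy engine (example code written for this article, not any vendor’s product). It learns an allow-list from a constructed discovery baseline and then evaluates new east-west flows against it, once with port-level rules and once with process-level rules; the tier names, process names and ports are all constructed sample data.

```python
"""Toy process-level micro-segmentation policy: learn an allow-list from a
discovery baseline, then evaluate new east-west flows against it."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_host: str      # logical tier the connection came from, e.g. "web"
    src_proc: str      # process that opened the connection
    dst_host: str      # destination tier
    dst_port: int
    proto: str = "tcp"


def learn_rules(baseline, process_level=True):
    """Build an allow-list from observed legitimate flows (automatic rule
    recommendation). With process_level=False the rule ignores the process,
    which is all a port-level rule can express."""
    rules = set()
    for f in baseline:
        proc = f.src_proc if process_level else "*"
        rules.add((f.src_host, proc, f.dst_host, f.dst_port, f.proto))
    return rules


def evaluate(flow, rules):
    """Return 'allow' or 'deny'; a denied east-west flow is the signal that
    something is moving laterally and should be investigated."""
    key = (flow.src_host, flow.dst_host, flow.dst_port, flow.proto)
    for src, proc, dst, port, proto in rules:
        if (src, dst, port, proto) == key and proc in ("*", flow.src_proc):
            return "allow"
    return "deny"


def audit(traffic, rules):
    """Evaluate every flow and return (src, proc, dst, port, verdict) rows."""
    return [(f.src_host, f.src_proc, f.dst_host, f.dst_port, evaluate(f, rules))
            for f in traffic]


# Constructed baseline from a discovery run (sample data, not real traffic).
BASELINE = [Flow("web", "nginx", "app", 8080), Flow("app", "java", "db", 5432)]

# Constructed test traffic: two legitimate flows and one in which an
# unexpected process on the app tier reaches the database port.
TRAFFIC = BASELINE + [Flow("app", "bash", "db", 5432)]

if __name__ == "__main__":
    for label, level in (("port-level", False), ("process-level", True)):
        print(label, audit(TRAFFIC, learn_rules(BASELINE, level)))
```

The port-level policy allows all three flows, so the third one would sit inside the dwell-time window; the process-level policy allows the two baseline flows and denies the third.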

By leveraging these cloud security solutions, IT security professionals can keep up with their constantly changing hybrid cloud environments and stay one step ahead of hackers trying to move around freely within their infrastructure.